|
1 day ago | |
---|---|---|
.github | 3 weeks ago | |
cmake | 4 months ago | |
docker | 1 month ago | |
docs | 3 weeks ago | |
images | 2 years ago | |
man | 3 weeks ago | |
resources | 1 year ago | |
scripts | 2 months ago | |
snap | 10 months ago | |
src | 1 day ago | |
tests | 2 weeks ago | |
tools | 3 weeks ago | |
.clang-format | 1 year ago | |
.editorconfig | 1 year ago | |
.gitattributes | 1 year ago | |
.gitignore | 7 months ago | |
.lgtm.yml | 10 months ago | |
CHANGELOG.md | 1 week ago | |
CMakeLists.txt | 1 month ago | |
CONTRIBUTING-TOOLS.md | 2 years ago | |
INSTALL.md | 2 months ago | |
LICENSE | 2 years ago | |
README.md | 3 weeks ago | |
Vagrantfile | 2 days ago | |
build-debug.sh | 1 year ago | |
build-docker-image.sh | 1 year ago | |
build-release.sh | 1 month ago | |
build.sh | 3 years ago |
bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace uses LLVM as a backend to compile scripts to BPF-bytecode and makes use of BCC for interacting with the Linux BPF system, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints. The bpftrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace was created by Alastair Robertson.
To learn more about bpftrace, see the Reference Guide and One-Liner Tutorial.
The following one-liners demonstrate different capabilities:
# Files opened by process
bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); }'
# Syscall count by program
bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
# Read bytes by process:
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret/ { @[comm] = sum(args->ret); }'
# Read size distribution by process:
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); }'
# Show per-second syscall rates:
bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @ = count(); } interval:s:1 { print(@); clear(@); }'
# Trace disk size by process
bpftrace -e 'tracepoint:block:block_rq_issue { printf("%d %s %d\n", pid, comm, args->bytes); }'
# Count page faults by process
bpftrace -e 'software:faults:1 { @[comm] = count(); }'
# Count LLC cache misses by process name and PID (uses PMCs):
bpftrace -e 'hardware:cache-misses:1000000 { @[comm, pid] = count(); }'
# Profile user-level stacks at 99 Hertz, for PID 189:
bpftrace -e 'profile:hz:99 /pid == 189/ { @[ustack] = count(); }'
# Files opened, for processes in the root cgroup-v2
bpftrace -e 'tracepoint:syscalls:sys_enter_openat /cgroup == cgroupid("/sys/fs/cgroup/unified/mycg")/ { printf("%s\n", str(args->filename)); }'
More powerful scripts can easily be constructed. See Tools for examples.
For build and install instructions, see INSTALL.md.
bpftrace contains various tools, which also serve as examples of programming in the bpftrace language.
For more eBPF observability tools, see bcc tools.
See the Reference Guide for more detail.
For additional help / discussion, please use our discussions page.
Have ideas for new bpftrace tools? CONTRIBUTING-TOOLS.md
Bugs reports and feature requests: Issue Tracker
bpftrace development IRC: #bpftrace at irc.oftc.net
For development and testing a Vagrantfile is available.
Make sure you have the vbguest
plugin installed, it is required to correctly
install the shared file system driver on the ubuntu boxes:
$ vagrant plugin install vagrant-vbguest
Start VM:
$ vagrant status
$ vagrant up $YOUR_CHOICE
$ vagrant ssh $YOUR_CHOICE
Copyright 2019 Alastair Robertson
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.